Analysis
- max time kernel: 145s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
  Resource: win10v2004-20220414-en
General
- Target: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Size: 361KB
- MD5: 1e4e3ab0d662c3f8a47c67ed427a154f
- SHA1: c96cf36141dd1a2a88bcaf3881f233a40854fb2b
- SHA256: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a
- SHA512: 879ac733fc2cfd57561ce65a92bab41d47484da3b7e7e2c430359bfa0301f1f3fcf253d181ed1bc7fbf20861b35cdc871acc9cf461909e69936fadaa58c4936e
Malware Config
Extracted
gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1228  ACCTient.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1228  ACCTient.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1736  cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audiedit = "C:\\Users\\Admin\\AppData\\Roaming\\bitsmuid\\ACCTient.exe"  3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1228 set thread context of 1708  1228  ACCTient.exe  svchost.exe
    PID 1708 set thread context of 1312  1708  svchost.exe  Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1228  ACCTient.exe
    1312  Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    1228  ACCTient.exe
    1708  svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
    1312  Explorer.EXE
    1312  Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
    1312  Explorer.EXE
    1312  Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    1312  Explorer.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process); repeated identical rows are collapsed with their count:
    PID 1620 wrote to memory of 1728  1620  3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe  cmd.exe  (4 entries)
    PID 1728 wrote to memory of 1736  1728  cmd.exe  cmd.exe  (4 entries)
    PID 1736 wrote to memory of 1228  1736  cmd.exe  ACCTient.exe  (4 entries)
    PID 1228 wrote to memory of 1708  1228  ACCTient.exe  svchost.exe  (7 entries)
    PID 1708 wrote to memory of 1312  1708  svchost.exe  Explorer.EXE  (3 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Local\Temp\3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\AD14\568A.bat" "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\3A25AC~1.EXE""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\3A25AC~1.EXE""
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
               Command line: "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\3A25AC~1.EXE"
               - Executes dropped EXE
               - Deletes itself
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\svchost.exe
                  Command line: C:\Windows\system32\svchost.exe
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory
Downloads
- C:\Users\Admin\AppData\Local\Temp\AD14\568A.bat
  Filesize: 108B
  MD5: 66357986ca32c520667f9434c6ebeaf3
  SHA1: 3b6f8286a7685a44630c2657b01ac3b234cda755
  SHA256: 3be0d761f54fbe8b45d22e07cf77da245bb59c78c18c055e4e76685a98ebec25
  SHA512: 16aac55744f9cac7449b77c9cac15456645208d91f826206814181e3d13cda4f7e60bd0e7323e1e5d851332e41456a1c24927bd372b2bceb650beb6ebf5b7f2a
- C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
  Filesize: 361KB
  MD5: 1e4e3ab0d662c3f8a47c67ed427a154f
  SHA1: c96cf36141dd1a2a88bcaf3881f233a40854fb2b
  SHA256: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a
  SHA512: 879ac733fc2cfd57561ce65a92bab41d47484da3b7e7e2c430359bfa0301f1f3fcf253d181ed1bc7fbf20861b35cdc871acc9cf461909e69936fadaa58c4936e
- \Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
  Filesize: 361KB
  MD5: 1e4e3ab0d662c3f8a47c67ed427a154f
  SHA1: c96cf36141dd1a2a88bcaf3881f233a40854fb2b
  SHA256: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a
  SHA512: 879ac733fc2cfd57561ce65a92bab41d47484da3b7e7e2c430359bfa0301f1f3fcf253d181ed1bc7fbf20861b35cdc871acc9cf461909e69936fadaa58c4936e
- memory/1228-63-0x0000000000000000-mapping.dmp
- memory/1228-66-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/1228-68-0x0000000000270000-0x00000000002A0000-memory.dmp
  Filesize: 192KB
- memory/1312-71-0x00000000029B0000-0x0000000002A25000-memory.dmp
  Filesize: 468KB
- memory/1312-72-0x00000000029B0000-0x0000000002A25000-memory.dmp
  Filesize: 468KB
- memory/1620-57-0x0000000000230000-0x0000000000260000-memory.dmp
  Filesize: 192KB
- memory/1620-54-0x0000000075951000-0x0000000075953000-memory.dmp
  Filesize: 8KB
- memory/1620-55-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/1708-69-0x0000000000000000-mapping.dmp
- memory/1708-70-0x0000000000230000-0x00000000002A5000-memory.dmp
  Filesize: 468KB
- memory/1728-58-0x0000000000000000-mapping.dmp
- memory/1736-60-0x0000000000000000-mapping.dmp